tomcat-announce mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Mark Thomas <ma...@apache.org>
Subject [SECURITY] CVE-2021-30639 Apache Tomcat DoS
Date Mon, 12 Jul 2021 13:03:15 GMT
CVE-2021-30639 Denial of Service

Severity: Important

Vendor: The Apache Software Foundation

Versions Affected:
Apache Tomcat 10.0.3 to 10.0.4
Apache Tomcat 9.0.44
Apache Tomcat 8.5.64

Description:
An error introduced as part of a change to improve error handling during 
non-blocking I/O meant that the error flag associated with the Request 
object was not reset between requests. This meant that once a 
non-blocking I/O error occurred, all future requests handled by that 
request object would fail. Users were able to trigger non-blocking I/O 
errors, e.g. by dropping a connection, thereby creating the possibility 
of triggering a DoS.
Applications that do not use non-blocking I/O are not exposed to this 
vulnerability.

Mitigation:
Users of the affected versions should apply one of the following
mitigations:
- Upgrade to Apache Tomcat 10.0.5 or later
- Upgrade to Apache Tomcat 9.0.45 or later
- Upgrade to Apache Tomcat 8.5.65 or later

History:
2021-07-12 Original advisory

References:
[1] https://tomcat.apache.org/security-10.html
[2] https://tomcat.apache.org/security-9.html
[3] https://tomcat.apache.org/security-8.html





Mime
View raw message